FC4 kernel performance

Stephen Smalley sds at tycho.nsa.gov
Thu Jun 23 15:25:45 UTC 2005


On Thu, 2005-06-23 at 11:08 -0400, Paul A Houle wrote:
>     Two more concerns came up for me with SELinux:
> 
> (i) scalability on SMP -- I can attest that this is a nice machine:
> 
> http://www.sun.com/servers/entry/v40z/index.jsp
> 
> running four single-core processors:  this four-socket machine upgrades 
> to an eight-way machine with dual core processors -- this really changes 
> the economics of SMP and is going to push the 'sweet spot' from 2-way 
> towards 4-way and 8-way.  System-on-chip is the major path for 
> performance increases in the future,  and we might even have 16-way 
> desktop systems in a decade.  Linux 2.6 is ready,  but is SELinux?

I think so.  We used to have a major scalability bottleneck in our
access vector cache (AVC) due to use of a global spinlock, but KaiGai
Kohei of NEC converted it to RCU, and demonstrated good scalability on a
32-way system, and IBM later reported that those patches also addressed
scalability problems they were seeing.  There are still known areas
where improvement is desirable in baseline performance and network
scalability of SELinux, but the AVC was the largest obstacle to
scalability.

> (ii) reliability -- Linux 2.6 is a big advance over Linux 2.4,  but we 
> had a crash last night.  Unlike our struggles with 2.4,  we found that 
> the problem had already been reported and fixed in a recent kernel 
> version. It's hard to fix bugs that aren't easily repeatable,  and the 
> longer code paths get,  the worse things get.

Getting SELinux into the mainline kernel and getting it enabled by
default in Fedora and RHEL was a big step forward here.  We've already
seen significant maturing of the code as a result.  A set of selinux
testcases was also recently added to the LTP, and IBM has been working
on expanding that set of testcases.  So I think we are on the right
track, even though much work remains.

-- 
Stephen Smalley
National Security Agency



